SB2026011649 - openEuler 24.03 LTS SP3 update for cpp-httplib
Published: January 16, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) CRLF injection (CVE-ID: CVE-2026-21428)
The vulnerability allows a remote attacker to inject arbitrary HTTP headers.
The vulnerability exists due to insufficient validation of attacker-supplied data. A remote attacker can send a specially crafted HTTP request to the application containing CR-LF characters and modify application behavior. When combined with a server that supports http1.1 pipelining this can be used for server side request forgery attacks.
2) Resource exhaustion (CVE-ID: CVE-2026-22776)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when handling compressed HTTP request body. The library validates the payload_max_length against the compressed data size received from the network, but does not limit the size of the decompressed data stored in memory. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.